FTI Journal Profiles Anthony Ferrante
In this Q&A from the FTI Journal, Anthony Ferrante addresses the growing cybersecurity threats affecting U.S. businesses today. Anthony has personally witnessed the rapid evolution of cyber risk and discusses his intelligence-led, strategic approach for addressing the cybersecurity threat to corporate America.
This piece was originally shared on FTI Journal and is republished here with permission.
As the former Director for Cyber Incident Response at the U.S. National Security Council and the former Chief of Staff of the Federal Bureau of Investigation’s Cyber Division, Anthony J. Ferrante has seen cyber risk evolve from a niche focus of intelligence agencies and information technology professionals to a true national-level challenge.
This challenge emerged quickly and is now accelerating rapidly, making it difficult for America’s organizations to keep up. Because of that, cybersecurity has vaulted into the boardroom and created a pressing need for a more formal approach and expertise.
Ferrante joined FTI Consulting in April as a Senior Managing Director and Head of Cybersecurity in the Global Risk & Investigation Practice. Prior to joining FTI Consulting, he coordinated the U.S. government’s response to unfolding cybersecurity crises and issues (including the Russian attempts to meddle in the 2016 Presidential election) and has provided incident response and preparedness planning to more than 1,000 private sector and governmental organizations. Included among them are more than 175 Fortune 500 companies.
Here, Ferrante discusses his intelligence-led, strategic approach for addressing the cybersecurity threat to corporate America.
FTIJ: We seem to hear about cyberattacks almost daily. Despite our current technological advances, why do you think they persist?
Ferrante: As we continue to connect more and more of our infrastructure to the internet, as we build out the “internet of things (IoT),” and as the resulting ecosystem relies more heavily on automation and machine learning, we create more entry points for attackers. Cyber risks become more frequent and more serious. Because of this, the cyber threat is evolving rapidly, becoming progressively broader and more dangerous. Incidentally, more than 90 percent of Americans report that they cannot protect their own personal data.
FTIJ: From your experience, what is the most vulnerable point of access for malicious cyber activities in corporations today?
Ferrante: A company’s cybersecurity posture is no different from its physical security posture — a company is only as strong as its weakest link. Companies need to invest in cybersecurity holistically and consider their cybersecurity from a 360-degree perspective — from deploying best practices to ensuring their staff is fully trained and aware of the latest emerging threats targeting their industry. Seasoned investigators may also have a network of personal contacts acquired in past investigations who can help ferret out hidden assets with a piece of local intelligence or industry gossip. So, when asking who should look for assets, consider retaining a professional investigator.
FTIJ: Executives themselves have lately become high-profile targets from attackers using more sophisticated methods. What are some of those threats?
Ferrante: Executives are constantly being targeted by malicious cyber actors for intentional deception, either for personal gain or to damage the executive’s reputation. A well-known example is the threat of sophisticated phishing campaigns. These campaigns are often used to deliver targeted malware to enable remote access of the target’s computer and possibly infrastructure. Once a malicious actor gains access to your systems, their motives can range from theft of intellectual property to financial gain, strategic misinformation campaigns (unauthorized disclosure of sensitive communications), platform utilization to target another company, storage of illegal content and a variety of other malicious uses.
FTIJ: Would you say many executives today underestimate the vulnerability of their corporations to attack and/or compromise?
Ferrante: Yes. Cybersecurity threats are a new and complicated factor to consider in assessing corporate risk. Executives have a special responsibility — and a unique opportunity — to set policy, define employee expectations and employ the appropriate individuals and practices to secure their networks and ensure continuity of business operations.
FTIJ: Where do these threats primarily come from?
Ferrante: Cybersecurity threats originate from all over — both external and internal to an organization. [See sidebar “Continuing Threats” for discussion of additional threats.] One is nation-state actors. Specifically, these are foreign government, or government-directed, organizations targeting your organization to erode economic stability or steal your intellectual property, which in turn influences the political and diplomatic landscape and/or destruction of your operations. Last year’s election brought nation-state-sponsored malicious cyber activity acutely into the public spotlight when the U.S. intelligence community assessed that senior Russian officials worked to influence the 2016 Presidential election. Cybersecurity threats from nation-state actors are going to continue to grow in scope, scale and sophistication. As our advancements in technology increase, so will our adversaries’ use and exploitation of it for illicit means. We mustn’t forget the internal threats posed by either an internal malicious actor or misconfigured infrastructure that will disrupt operations and expose vulnerabilities to your organization.
FTIJ: What are some practices executives should employ to improve their posture against cyberattacks?
Ferrante: The first thing is to create internal policies and risk management practices that inherently demand good security practices by all. These policies and practices may cover a variety of topics depending on the business, but some areas they might include would be: adopt proactive prevention, define and identify the data that needs to be protected, evaluate email controls, implement enterprise-wide security controls and regularly test those controls. Also, executives should insulate the business’ infrastructure and define the parameters for preparedness planning and testing — plan the business’ continuity operations.
Second, executives can increase employee cybersecurity awareness and accountability by implementing a system that provides employees with opportunities to improve their skills, test their abilities and understand the risks of poor security practices. Finally, executives can determine when they have a cybersecurity issue that is beyond their business’ ability to resolve and should not hesitate to rely on industry subject matter experts to supplement their internal resources.
Organizations that rely on information technology systems alone to secure their business operations against a cyber adversary have failed or will fail. An organization needs a dynamic intelligence-led cybersecurity team that has the expertise to understand, think and act offensively and defensively to combat the ever-changing cyber threat landscape.
FTIJ: Describe your approach to threat-hunting operations. What is the first step you take to assess corporate vulnerability?
Ferrante: We approach an operation just like a threat actor would approach their attempts to conduct malicious activity. Once we have a better understanding of our clients’ infrastructure through an open source vulnerability assessment, we deploy a variety of digital tools and human techniques observed throughout our 20 years of experience.
FTIJ: Some corporations reach out only when an incident occurs. How would you help a corporation with remediation efforts?
Ferrante: We help corporations surge their capabilities, either by serving as their incident response team or by augmenting their existing capacity to respond. For corporations that fall victim to cyber threats and aren’t prepared to address those impacts, we would deploy a vigorous response that minimizes the damage to the company’s reputation and its bottom-line operations. We help organizations understand their own environments, harden their defenses, rapidly and precisely hunt threats, provide a complete response to crises and sustainably recover operations and reputation after an incident. A proactive posture is always best. But we can help organizations recover from unexpected and unplanned impacts.
FTIJ: What’s your approach following remediation to move an organization towards long-term proactivity? What is the first step you take to assess corporate vulnerability?
Ferrante: In the moment of crises, we are keenly focused on containment, remediation and recovery, for both a business’ operations and reputation. After the incident is remediated, we work with affected entities to plan for future incidents targeting their organization that will inherently shift their approach from reactive to proactive. Our plans are personalized and scalable, so clients can choose a range of services that will work within their existing business plans and budgets to provide added security going forward.
In addition to nation-state actors, Ferrante identifies these six continuing threats to corporate operations and reputation.
- Theft of Communications: The unauthorized disclosure of personal and confidential conversations posted to the public internet — both in email and through telephone conversations — will continue and increase in scope and scale. Recent disclosures have led most of us to be more cautious about what we say in our email, but we overlook our telephone conversations. Many of our conversations ride over the same internet backbone as our email and that data is just as vulnerable to collection and unauthorized disclosure.
- Destructive Malware: The use of destructive malware by both nation-state actors and criminal actors will increase in sophistication and consequence. It should not be surprising after the success of global attacks such as Petya/NotPetya last June, or the destructive malware attack against Sony Pictures Entertainment in 2014.
- Ransomware: Approximately 4,000 daily ransomware attacks occurred in 2016, a four-fold increase from 2015, reports the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT). While ransomware defenses are improving, the revenue that malicious cyber actors generate from those who pay ransom means they will continue to deploy this tactic. Further, the dark web is offering Ransomware as a Service (RaaS). This is creating easy opportunities for more criminals who lack technical sophistication to launch this type of attack.
- Distributed Denial of Service (DDoS) Attacks: These attacks, which overwhelm a system with data, rose in the first quarter of 2017 over first quarter 2016, indicating a growing risk. Researchers believe the increasing frequency stems at least in part from the rise of the internet of things, which has provided a huge number of poorly secured internet-enabled devices for hackers to use in botnets.
- The Internet of Things: In a recent survey, 96 percent of IT professionals said they expect to see an increase in cyberattacks on industrial IoT devices in the coming year. That’s not surprising given the estimated 5.5 million new connected devices that came online each day in 2016.
- Social Engineering and Human Error: Are humans the biggest cybersecurity vulnerability? Quite possibly. Humans increasingly rely on technology to make their lives easier and achieve results with the use of an interconnected computer network. Vulnerability can come through carelessness, a disgruntled employee seeking revenge or victimization of an employee by a sophisticated cyber attacker.